Passive Ethernet TAP

  • Passive Ethernet TAP

    A friend of mine is running a business; he asked me for a solution to monitor all the Yahoo Messenger traffic. My only idea was to put an old hub between the company core switch and the router (the default gateway). As the hub is only 10Mbit Half, I'm looking for another solution.
    I've tried to create a passive physical network TAP (the active ones are very nice but they cost a lot) but now I'm facing a new challenge: how can I combine both Rx signals? The TAP is something like this: two RJ45 connectors for data between switch and router and two more cabled only on pins 3 and 6 (just to capture the Rx from port A and B). Now I need a solution to combine the received signals (RxA and RxB) that enter into the monitoring PC via two different physical NICs into one stream of bits (a logical NIC).
    Thanks a lot

  • #2
    Re: Passive Ethernet TAP

    why not just block all messenger traffic?
    your solution, so far, won't record just messenger traffic, but everything.. how do you plan to filter it, and then return it in a useable format ?
    dependent on your switching or routing technology - they may already have "mirror" ports available


    Also - before you commence this, ensure your client has covered his butt legally speaking - ie, told the employees their communications might be monitored.
    I respect an employer's right to monitor activity on their network, even when it might extend to personal use. I don't respect an employer's right to do it without informing the employees..
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif


    • #3
      Re: Passive Ethernet TAP

      I already suggested that he block the entire YM! traffic, but he refused this approach.
      The "mirroring port" solution is not working as the switched LAN is made only with unmanaged switches.
      Yes, all the traffic will be "mirrored" via those two taps. The filtering and decoding job will be done by a very simple and free tool called SniffIM (I've tested it using an old hub and it is working as it should); unfortunately, this software is available only for MS Windows (I didn't manage to find an equivalent solution for Linux).
      In Linux I can "bond" the received traffic from both NICs and "listen" to the combined traffic via the resulting bond virtual NIC. In Windows I have no idea how to solve this problem.

      Legally speaking, he MUST inform his employees about this thing, otherwise he would violate applicable laws.


      • #4
        Re: Passive Ethernet TAP

        Buy a small inexpensive managed switch that you can place in between the main switch and the router. Then you can configure port mirroring on the managed switch. Here's an example of one:

        http://www.netgear.com/Products/Swit...Specifications


        • #5
          Re: Passive Ethernet TAP

          I don't want to mess with their network topology.
          I have two strong enough reasons for not using another switch. First: adding a new single-point-of-failure to the network (if this cheap switch stops working, the entire Internet connection is lost) and second: let's assume that the link between core switch and gateway is 100Mbit Full Duplex, which is, at least theoretically, a 200Mbit throughput. Here are two possible situations: the sniffing machine receives only half of the traffic, or the link that goes into this machine is 1Gbps.
          As I tried to explain in the first post: I need a solution for combining the two Rx signals into a single stream no matter how many NICs I'm using; the single requirement is that it works in any flavor of Windows.


          • #6
            Re: Passive Ethernet TAP

            IMHO, you're making this too complicated. There's no difference with using the switch than your original idea to use a hub. It's the same idea, just using a switch instead of a hub.

            What if the switch fails? What if the internet goes down? What if your email gets blocked? What if the sun stops shining? There are a million ifs that could cause problems.

            I do this all the time with a small, inexpensive managed switch. Just get it, install it, configure it, and get on with your life.

            No offense intended.


            • #7
              Re: Passive Ethernet TAP

              the other concern I have with your initial proposal is that you may be violating cabling and electrical rules in your country.

              I know that in Australia at the very least, it is against the law for a person who is not a licensed cabler to connect a cable to the non-public end of a public telephone or switched network unless that cable is pre-terminated or has been made by a licensed cabler.
              doing so would also void your insurance, if there happened to be a fire for instance.

              What I mean by this is, in our cupboard-of-crap, we had a nice long cable, which the boss asked me to connect to the switch, and run along the walls down to an office that was due to be used. The cable was not preterminated, and seems to have been made by the previous engineers.
              By connecting that cable to our switch, which was in turn connected to our 877 router, which was in turn connected to the PSTN, I would have been violating the law.

              Long story short, boss purchased appropriate cable.

              I guess my point here is - you are not sufficiently experienced in the manufacture of appropriate network cabling - this is demonstrated by the fact that you are needing to ask how to do it.
              If you desperately need to do it the way you want to do it, buy a passive, or active, ethernet tap and write it off as a business expense.

              What if your cable you make isn't pinned properly, and shorts the router? All of a sudden, you've made a very expensive death of a single point of failure within the network.


              of course - if you're insistent, then a google search for "passive ethernet tap" should return plenty of options, including Build-Your-Own, and items you can purchase.

              • #8
                Re: Passive Ethernet TAP

                Guys, thanks for your concern but your comments didn't really help me.
                I still haven't solved the problem: how can I "bond" or combine Rx signals from two different NICs into one stream to be able to monitor it?


                • #9
                  Re: Passive Ethernet TAP

                  Originally posted by cielo
                  Guys, thanks for your concern but your comments didn't really help me.
                  I still haven't solved the problem: how can I "bond" or combine Rx signals from two different NICs into one stream to be able to monitor it?
                  Originally posted by tehcamel
                  What if your cable you make isn't pinned properly, and shorts the router? All of a sudden, you've made a very expensive death of a single point of failure within the network.

                  of course - if you're insistent, then a google search for "passive ethernet tap" should return plenty of options, including Build-Your-Own, and items you can purchase.
                  http://lmgtfy.com/?q=passive+ethernet+taps

                  You should also realise that posts like "your comments didn't help me solve my problem" will not necessarily endear those who freely give of their time and experience to continue doing so. If you catch my drift?

                  • #10
                    Re: Passive Ethernet TAP

                    All,
                    Let's keep this professional, please.
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **


                    • #11
                      Re: Passive Ethernet TAP

                      Let's summarize a few things:
                      I already have the passive tap and it is working, or at least half of it (I can capture the traffic just one way) but not in both directions.
                      I need a solution for combining the Rx signals into one stream because the Yahoo sniffing tool cannot monitor multiple NICs.

                      @Offtopic: If you think you can help me with a solution in this way, I will be glad to hear it; if you give me links to Google or "RTFM", you can send them via PM, not on topic (maybe I'm not the only one interested in this area)
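What "combining RxA and RxB into one stream" comes down to when it is done offline, as an added example that is not from any poster in this thread: the capture from each monitoring NIC is saved as a classic pcap file and the two are interleaved by timestamp. The function names and sample frames are constructed for illustration, and the code assumes little-endian pcap files with microsecond timestamps.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"   # magic, version 2.4, tz, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, captured length, original length


def build_pcap(packets, linktype=1):
    """Serialize (ts_sec, ts_usec, frame) tuples as a pcap byte string."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, frame in packets:
        out.append(struct.pack(RECORD_HDR, sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every complete record in data."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian, microsecond pcap")
    off = struct.calcsize(GLOBAL_HDR)
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(RECORD_HDR, data, off)
        off += 16
        if off + incl > len(data):
            return  # capture was cut off mid-record; drop the partial frame
        yield sec, usec, data[off:off + incl]
        off += incl


def merge_directions(pcap_a, pcap_b):
    """Interleave two per-direction captures into one, ordered by timestamp."""
    ordered = heapq.merge(read_pcap(pcap_a), read_pcap(pcap_b),
                          key=lambda rec: (rec[0], rec[1]))
    return build_pcap(ordered)


def demo():
    # Constructed sample: two frames seen on each tap leg (payloads are labels).
    rx_a = build_pcap([(100, 10, b"A1"), (100, 500, b"A2")])
    rx_b = build_pcap([(100, 200, b"B1"), (101, 0, b"B2")])
    return [frame for _, _, frame in read_pcap(merge_directions(rx_a, rx_b))]


if __name__ == "__main__":
    print(demo())
```

Both NICs have to be timestamped by the same host clock for the ordering to mean anything, and frames that arrive within the NICs' interrupt-coalescing window can still come out slightly out of order.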
